Dear Mr. Enria,


We are writing to you with regards to the Regulatory Technical Standards for strong customer authentication (“SCA”) 
and common and secure open standards of communication (“RTS”) under PSD2. 


We fully support the aims of PSD2 and the RTS to ensure fair competition, innovation and security in the payment 
services sector. However, we continue to have serious technical concerns on the definition of authentication factors
as defined in the Opinion of the European Banking Authority on the implementation of the RTS (EBA-Op-2018-04)
published on 18 June 2018. 


The EBA wrote: Given that knowledge is defined as ‘something only the user knows’, the card number with CVV 
and expiry date printed on the card cannot be considered a knowledge element. This is also the case for a user ID. 
For a device to be considered possession, there needs to be a reliable means to confirm possession through the 
generation or receipt of a dynamic validation element on the device. 


Whilst we agree that the card number with CVV is a questionable authentication factor on its own, the whole purpose 
of strong customer authentication is to layer the level of security with two or more independent factors and it is that 
layering approach alongside the fraud checks that are performed which makes SCA secure. 


For remote commerce, as an example, the combination of knowing the card number, CVV and possessing a one-time
password delivered to a personal device is a very effective authentication method; knowing that authentication
only takes place after a background transaction risk analysis where multiple fraud checks are performed behind
the scene, which will be greatly enhanced with the new version of 3DS that we are deploying. 


For transactions that are authenticated today using 3DS, with card details and one time passcode as the 
authentication factors, the fraud rate is less than 6 BPS. 


We are committed to evolve authentication to include new technologies such as biometrics, however it would be 
challenging for issuers to deploy such new authentication methods before 14 September 2019 as we would be 
relying heavily on a positive consumer adoption. No prior recommendation, guidelines or consultation has prepared 
the industry for this very complex step change. For example, not all devices have biometric hardware and not all 
consumers have access to them. 


EPIF c/o Afore Consulting European Payment Institutions Federation aisbl 


Rue de la Science 14B | B-1040 Brussels Belgium | Phone: +32 2 588 13 03 Page 1 of 2 




The EBA’s disapplication of card number with CVV and expiry date as a ‘knowledge’ factor will have disastrous 
effect on remote commerce and will adversely impact customers, retailers and all stakeholders of the payment 
ecosystem by introducing unnecessary friction and abandonment at checkout. 


For the reasons outlined above, we strongly appeal to the EBA to revise their opinion to keep card number and CVV 
as a valid authentication factor and phase it out within the next three years to allow time for the industry to deploy 
alternative authentication methods without disrupting payments. 


We would welcome further discussions on this important topic should the EBA so wish. 


Yours sincerely, 


Elie Beyrouthy, Chair of EPIF

Christian Verschueren, Director General of Eurocommerce

Frederik Palm, President of EMOTA

Una Dillon, Managing Director, MRC EU

Cecilia Bonefeld-Dahl, Director-General of DIGITALEUROPE

Marlene ten Ham, Secretary General, Ecommerce Europe




